This feature is the result of an investigation from Joanna Stern and Nicole Nguyen for the Wall Street Journal. They found out that thieves have been stealing money and accessing sensitive data that is supposedly stored securely on an iPhone and the related iCloud account.
The reason why the passcode is such a critical piece of information is that you can use it to unlock a phone and change some settings. Even when Face ID (or Touch ID) is turned on, you can still use the passcode as a fallback method to unlock a phone and change settings.
iPhone thieves have been taking advantage of that possibility to go to bars late at night and talk to strangers to get their passcodes from them.
For instance, an iPhone thief told Joanna Stern that he would tell his victims that he wanted to add them on Snapchat. As it’s often easier to enter your contact details directly on someone else’s phone instead of saying it out loud, the thief would say that he can type his username directly.
When the person handed over the phone, the thief would lock it and say that the iPhone was locked. He would then simply ask for the passcode and remember it for later.
Once a phone has been stolen, the passcode can be used to unlock the device and change the Apple ID password in the phone settings. This way, Find My iPhone can be disabled, meaning that the target can’t remotely wipe their device.
Many iPhone users also store passwords, such as bank app passwords, in their iCloud Keychain as well as credit card details in their Safari autofill preferences. Thieves can also open encrypted notes in the Notes app to see if you’ve been storing your social security numbers in there.
They can also use Apple Pay directly. Once again, the passcode can be used if Face ID fails — thieves can also register their own face in Face ID if they have the device passcode.
Apple gives you an hour to remotely wipe your device
As a protection mechanism, Apple has introduced Stolen Device Protection in iOS 17.3. When it’s turned on, some actions, such as accessing stored passwords and credit cards, will require Face ID or Touch ID biometric authentication.
In addition to requiring Face ID or Touch ID authentication, changing your Apple ID password, changing your passcode and turning off Stolen Device Protection also require a security delay. When you first try to perform one of these actions, your iPhone tells you that you have to wait for at least an hour to make a critical change.
This way, if someone steals your device, you have the opportunity to wipe your iPhone remotely using another device to make sure that your data remains secured. There’s one exception, though. If you’re in a familiar location, such as your home or your work, there’s no need to wait an hour to perform a critical change.
It’s not perfect, but Apple is trying to strike the right balance between security and convenience. You can head over to Settings > Face ID & Passcode > Stolen Device Protection to turn on this new security feature.